Host Header Manipulation

Last updated 4 months ago

TL;DR: Host header obfuscation

When attacking a target, you never know what sort of rules the blue team has in place to detect you. With the rise of Domain Fronting, which meant that more people were manipulating Host headers, I decided to look a bit more into what you can do with a Host header.

You can change the header

Everyone knows you can modify the Host header. As long as the CDN can parse the Host header, we can use the CDN to route our traffic to a chosen endpoint. What we haven't really spoken about in the public domain is the format in which we can place the Host header and still have it route to the endpoint. In this blog post I'm going to highlight some basic ideas for you to add to your Domain Fronting skill-set, to potentially cause some extra havoc for the Blue Team analysing your traffic.

The Test Environment

Here I'm using Google App Engine and CloudFront. There are many more CDNs out there, such as Alibaba, so there's much more research to be done. I'm not going to go into exact specifics of which techniques work on which environment; that's for the reader to find out.

Arbitrary Naming

I've already covered this in previous posts (see here and here): you can use an arbitrary CNAME to refer to your instance, so the Host header does not have to look anything like the CDN's own name. Try converting:

Host: abcdefghijk.cloudfront.net

to:

Host: nice.try.but.no

Spaces

We all love white space, don't we? Try converting:

Host: nice.try.but.no

to:

Host:      nice.try.but.no

(several spaces after the colon), or even removing the space entirely: Host:nice.try.but.no

Heck, even control characters such as 0x1c and 0x1f (the raw bytes that %1c and %1f decode to, file separator and unit separator) placed around the value still work!

Why not stick an up arrow in?

Combine them and you get a bit of everything in one header.

Dots

Some Content Delivery Networks will let you use Host: nice.try.but.no................ and it will still work! A single trailing dot is just the fully-qualified form of the name; a whole run of them is well beyond anything a legitimate client sends, yet it still routes.

New Lines

Good old header injection works in some Content Delivery Networks too! Check out the following request and response. Just stick a carriage return (%0d, sent as the raw 0x0d byte) at the end of the header value, before the CRLF that terminates the line.
Request:

Response:

Combining it all together
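As an added example (not the original post's own tooling, and not tied to any specific CDN), the script below builds each of the Host header variants from the sections above as raw request bytes, then parses them two ways: leniently, the way a tolerant edge might, so that every variant collapses to the same origin name, and strictly, the way an RFC 7230 parser would, which rejects the control-character, bare-CR and multiple-dot forms. The audit() function lists what a detection rule could alert on, including the SNI/Host mismatch that is the domain fronting tell. FRONT and TARGET are constructed placeholders; send_raw() is a network helper that only does anything if you point it at a real front.

```python
"""Added example, not from the original post: craft obfuscated Host headers,
parse them leniently and strictly, and list detection findings."""
import re
import socket
import ssl
from typing import List, Optional

FRONT = "abcdefghijk.cloudfront.net"   # constructed placeholder: the SNI / fronting name
TARGET = "nice.try.but.no"             # constructed placeholder: the origin we want

# One complete Host header line per variant, exactly as it would go on the wire.
VARIANTS = {
    "plain":         b"Host: nice.try.but.no\r\n",
    "extra-spaces":  b"Host:     nice.try.but.no\r\n",
    "no-space":      b"Host:nice.try.but.no\r\n",
    "tab":           b"Host:\tnice.try.but.no\r\n",
    "control-chars": b"Host: \x1cnice.try.but.no\x1f\r\n",  # raw bytes %1c / %1f decode to
    "trailing-dots": b"Host: nice.try.but.no................\r\n",
    "trailing-cr":   b"Host: nice.try.but.no\r\r\n",         # the %0d at the end of the header
    "combined":      b"Host:\t\x1fnice.try.but.no....\r\r\n",
}

LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{LABEL}\.)*{LABEL}\.?$")  # DNS name, one optional trailing dot
CTL_RE = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")           # every CTL byte except HTAB


def build_request(host_line: bytes, path: bytes = b"/") -> bytes:
    """Minimal HTTP/1.1 request carrying the given raw Host header line."""
    return b"GET " + path + b" HTTP/1.1\r\n" + host_line + b"Connection: close\r\n\r\n"


def _header_lines(request: bytes) -> List[bytes]:
    head = request.partition(b"\r\n\r\n")[0]
    return head.split(b"\r\n")[1:]          # drop the request line


def _host_values(request: bytes) -> List[bytes]:
    """Raw values of every header whose name is 'host' (any case, any padding)."""
    out = []
    for line in _header_lines(request):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            out.append(value)
    return out


def lenient_host(request: bytes) -> Optional[str]:
    """What a tolerant edge might route on: strip every byte <= 0x20 around the
    value, drop trailing dots, lowercase. Every variant above collapses to TARGET."""
    values = _host_values(request)
    if not values:
        return None
    cleaned = values[0].strip(bytes(range(0x21))).rstrip(b".")
    return cleaned.decode("ascii", "replace").lower()


def strict_host(request: bytes) -> Optional[str]:
    """RFC 7230 reading: exactly one Host header, only SP/HTAB as optional
    whitespace, no CTLs, value is a DNS hostname plus an optional numeric port."""
    lines = [l[5:] for l in _header_lines(request) if l[:5].lower() == b"host:"]
    if len(lines) != 1:
        return None
    m = re.fullmatch(rb"[ \t]*([\x21-\x7e]+)[ \t]*", lines[0])
    if not m:
        return None
    host, _, port = m.group(1).decode("ascii").lower().partition(":")
    if port and not port.isdigit():
        return None
    return host if HOSTNAME_RE.match(host) else None


def audit(request: bytes, sni: Optional[str] = None) -> List[str]:
    """Findings a detection rule could raise on an intercepted request."""
    findings = []
    values = _host_values(request)
    if len(values) != 1:
        findings.append(f"host-count={len(values)}")
    for value in values:
        if value[:1] != b" " or value[1:2] in (b" ", b"\t"):
            findings.append("unusual-ows")          # not exactly one SP after the colon
        if CTL_RE.search(value):
            findings.append("control-chars")
        if b"\r" in value:
            findings.append("bare-cr")              # header-injection attempt
        if value.strip(bytes(range(0x21))).endswith(b".."):
            findings.append("trailing-dots")
    host = lenient_host(request)
    if sni is not None and host is not None and host != sni.lower().rstrip("."):
        findings.append("sni-host-mismatch")        # the domain-fronting tell
    return findings


def send_raw(front: str, request: bytes, port: int = 443, timeout: float = 10.0) -> bytes:
    """Send the raw bytes over TLS with SNI = front and return the status line.
    Network helper only; with FRONT as SNI and TARGET in Host this is the fronting shape."""
    ctx = ssl.create_default_context()
    with socket.create_connection((front, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=front) as tls:
            tls.sendall(request)
            return tls.recv(4096).partition(b"\r\n")[0]


if __name__ == "__main__":
    for name, line in VARIANTS.items():
        req = build_request(line)
        print(f"{name:14s} lenient={lenient_host(req)!s:16s} "
              f"strict={strict_host(req)!s:16s} audit={audit(req, sni=FRONT)}")
```

Run it and each variant prints its lenient and strict parse beside its findings. The defender's takeaway is the one the conclusion makes: normalise the Host value (trim anything at or below 0x20, collapse trailing dots, lowercase) before comparing it with the SNI, and treat any control byte in a header value as an alert on its own, because no legitimate client sends one.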

Conclusion

You can inject a ton of characters, including new lines, at the front and end of the Host header. That adds complexity for the Blue Team trying to detect domain fronting, even when they are doing TLS interception, as long as nothing in the path rewrites the Host header. The flip side for defenders is simple: normalise the Host value (strip whitespace and control characters, drop trailing dots, lowercase) before comparing it with the SNI, and alert on control characters in any header value at all, since a legitimate client never sends them.